Abstract. The first short signature scheme was proposed by Boneh, Lynn,
and Shacham (BLS) in [8]. This scheme uses the properties of bilinear
pairings on certain elliptic curves. The main problem in the BLS scheme is
the use of a special hash function [3, 5, 8]. To deal with this problem, many
cryptographic schemes were proposed with cryptographic hash functions
such as MD5, SHA-1 [14]. In this paper, we propose a new and efficient
short signature scheme from the bilinear pairings. Our scheme is constructed
by Bilinear Inverse-Square Diffie-Hellman Problem (BISDHP)
and does not require any special hash function. The exact security proofs
are also explained in the random oracle model. We give the implementation
and comparison results of the BLS and ZSS (Zhang, Safavi, and
Susilo) [14] schemes. Furthermore, we use this signature scheme to construct
a ring signature scheme.

Key words: short signature, bilinear pairings, ring signature


1  Introduction 

Digital signatures are the most important cryptographic primitive in daily
life. Short signatures are needed in environments with space and bandwidth
constraints. Up to pairing-based cryptography, the best known shortest signature
was obtained by using the Digital Signature Algorithm (DSA) [1] over a finite
field $F_q$. The length of the signature is approximately $2 \log q$. On the other hand,
when the pairing-based cryptographic protocol is used, the length of the signature
is about $p \log q$, where $p = \log q / \log r$ and $r$ is the largest prime divisor of the
number of the points in the elliptic curve. For example, at the security level of
an RSA signature with a 1024-bit modulus, an ECDSA signature is 320 bits long.
However, a short signature provides the same security level with only 160 bits in
the best case.

Short Signature Scheme From Bilinear Pairings


ORGANIZATION 


In 2001 Boneh, Lynn and Shacham [8] proposed the idea of a short signature
scheme by using bilinear pairings. This scheme is based on the Weil pairing and
needs a special hash function. Over the last years, there have been various applications
of bilinear pairings in short signature schemes to construct new efficient schemes
[6], [7], [14]. The main improvement in short signature schemes is the use of a
cryptographic hash function such as MD5 and SHA-1 instead of the special hash function
called the MapToPoint hash operation. It is known that a short signature scheme with
a cryptographic hash function is more efficient than others since the MapToPoint hash
operation is still probabilistic.

In this note, we describe a new short signature scheme in a setting similar to
the ZSS scheme [14]. Our system is based on the Bilinear Inverse-Square Diffie-Hellman
Problem, a combination of the Bilinear Inverse Diffie-Hellman Problem (BIDHP) and
the Bilinear Square Diffie-Hellman Problem (BSDHP). The main advantage of our
scheme is that it can be used with any cryptographic hash function such as
MD5, SHA-1. To give the exact security proofs, we define a new problem called
the inverse square problem with k traitors (k-ISP). Then, the exact security proofs
of the proposed scheme are also explained in the random oracle model. We give the
comparison of our scheme with the BLS scheme and ZSS scheme. According to
the comparison results, our scheme is more efficient than the BLS scheme. Then, by
using this scheme, we construct a ring signature scheme.

This note is organized as follows: Some preliminaries about bilinear pairings
and some related problems to pairings are given in Section 2. Proposed short
signature scheme and its security analysis are explained in Section 3. A construction
of ring signature scheme is given in Section 4. We conclude in Section 5.

2  Pairing-Based  Cryptography 

In  this  section,  we  give  some  facts  about  bilinear  pairings  and  define  some  new 
problems.  The  proposed  short  signature  scheme  uses  fascinating  properties  of 
bilinear  pairings  like  others. 

2.1  Bilinear  Pairings 

Definition 1. Let $G_1$ and $G_2$ be additive cyclic groups of order $n$. Let $G_3$ be a
multiplicative cyclic group of order $n$. A bilinear pairing is an efficiently computable
map $e : G_1 \times G_2 \to G_3$ which satisfies the following additional properties:

1. (bilinearity) For all $P, R \in G_1$ and all $Q, S \in G_2$, we have
$e(P + R, Q) = e(P, Q)e(R, Q)$ and $e(P, Q + S) = e(P, Q)e(P, S)$.

2. (non-degeneracy) For all $P \in G_1$, with $P \ne Id_{G_1}$, there is some $Q \in G_2$ such
that $e(P, Q) \ne 1$. For all $Q \in G_2$, with $Q \ne Id_{G_2}$, there is some $P \in G_1$ such
that $e(P, Q) \ne 1$. When $G_1 = G_2$ and $n$ is prime, $e(P, P)$ is a generator of
$G_3$ for all $P \ne Id_{G_1}$.

The following lemma, which is related to the properties of bilinear pairings, can
be easily verified.

Lemma 1. Let $e : G_1 \times G_2 \to G_3$ be a bilinear pairing. Let $P \in G_1$ and
$Q \in G_2$. Then

1. $e(P, 0) = e(0, Q) = 1$

2. $e(-P, Q) = e(P, -Q) = e(P, Q)^{-1}$

3. $e(kP, Q) = e(P, kQ) = e(P, Q)^k$ for all $k \in \mathbb{Z}$.

4. $e(kP, lP) = e(P, P)^{kl}$ for all $k, l \in \mathbb{Z}$.

2.2  Some  Problems 

We consider the following problems in the additive group $(G, +)$ of order $n$.

— Discrete Logarithm Problem (DLP): For $P, Q \in G$, find $k \in \mathbb{Z}_n^*$ such
that $Q = kP$ whenever such $k$ exists.

— Decisional Diffie-Hellman Problem (DDHP): For $a, b, c \in \mathbb{Z}_n^*$, given
$P$, $aP$, $bP$, $cP$ decide whether $c = ab \pmod{n}$.

— Computational Diffie-Hellman Problem (CDHP): For $a, b \in \mathbb{Z}_n^*$,
given $P$, $aP$, $bP$ compute $abP$.

There are two variations of CDHP:

— Inverse Computational Diffie-Hellman Problem (ICDHP): For $a \in \mathbb{Z}_n^*$,
given $P$, $aP$, compute $a^{-1}P$.

— Square Computational Diffie-Hellman Problem (SCDHP): For $a \in \mathbb{Z}_n^*$,
given $P$, $aP$, compute $a^2P$.

The following theorem shows the relation between these problems; the proof can
be found in [13].

Theorem  1.  CDHP,  ICDHP  and  SCDHP  are  polynomial  time  equivalent. 

The  security  of  some  applications  of  bilinear  pairings  in  cryptography  relies  on 
the  difficulty  of  Bilinear  Diffie-Hellman  Problem  (BDHP)  which  was  first  stated 
in  [5]. 

Definition 2. Let $G$ be a finite additive cyclic group of order $n$ with a generator
$P$, let $e$ be a bilinear pairing on $G$, and let $a$, $b$, $c$ be integers. The BDHP is to
compute the value of the bilinear pairing $e(abcP, P)$, whenever $aP$, $bP$ and $cP$
are given.

The well known pairing-based protocols are the one-round three-party key exchange
protocol proposed by Joux in [10], the identity-based encryption scheme by
Boneh-Franklin in [5] and the short signature scheme by Boneh-Lynn-Shacham in [8];
the security of them depends on the BDHP. There are variants of BDHP:

— Bilinear Inverse Diffie-Hellman Problem (BIDHP): For $a, b \in \mathbb{Z}_n^*$,
given $P$, $aP$, $bP$ to compute $e(P, P)^{a^{-1}b}$.

— Bilinear Square Diffie-Hellman Problem (BSDHP): For $a, b \in \mathbb{Z}_n^*$,
given $P$, $aP$, $bP$ to compute $e(P, P)^{a^2 b}$.

It is not hard to obtain the Bilinear Inverse-Square Diffie-Hellman Problem as a
combination of BIDHP and BSDHP:

— Bilinear Inverse-Square Diffie-Hellman Problem (BISDHP): For
$a, b \in \mathbb{Z}_n^*$, given $P$, $aP$, $bP$ to compute $e(P, P)^{a^{-2}b}$.

Theorem 2. BDHP, BIDHP, BSDHP and BISDHP are polynomial time equivalent.


Proof. BDHP $\Rightarrow$ BIDHP is trivial.

BIDHP $\Rightarrow$ BSDHP:

Given $P$, $aP$, $bP$, set the input of BIDHP as

$Q = aP, \quad Q_1 = P = a^{-1}Q, \quad Q_2 = bP = ba^{-1}Q,$

then BIDHP outputs

$e(Q_1, Q_2) = e(Q, Q)^{(a^{-1})^{-1} b a^{-1}} = e(aP, aP)^{b} = e(P, P)^{a^2 b}.$

BSDHP $\Rightarrow$ BISDHP:

Given $P$, $a^2P$, $bP$, set the input of BSDHP as

$Q = a^2P, \quad Q_1 = a^{-2}Q = P, \quad Q_2 = a^{-2}bQ = bP,$

then BSDHP outputs

$e(Q_1, Q_2) = e(Q, Q)^{(a^{-2})^{2} b a^{-2}} = e(P, P)^{a^{-2} b}.$

BISDHP $\Rightarrow$ BDHP:

Given $P$, $aP$, $bP$, $cP$, set the input of BSDHP as the triples

$(P, aP, cP), \quad (P, bP, cP), \quad (P, aP + bP, cP),$

then we have $e(P, P)^{a^2 c}$, $e(P, P)^{b^2 c}$ and $e(P, P)^{(a+b)^2 c}$, respectively. Therefore,
we obtain

$e(P, P)^{abc} = \left( \frac{e(P, P)^{(a+b)^2 c}}{e(P, P)^{a^2 c} \, e(P, P)^{b^2 c}} \right)^{1/2}.$

□
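
The last step of the proof, recovering $e(P,P)^{abc}$ from three BSDHP answers, can be run end to end in a toy group. This Python code is an added example, not part of the original paper: it assumes constructed, insecure parameters (n = 1019, p = 2039, g = 4 standing in for e(P, P)) and stores the point kP as the scalar k, which is the only reason the stand-in oracle can answer.

```python
# Constructed toy parameters (insecure): n prime, p = 2n + 1 prime, G of order n.
N, P_MOD, G = 1019, 2039, 4


def bsdhp_oracle(aP: int, bP: int) -> int:
    """Stand-in for a BSDHP solver: given P, aP, bP it returns e(P, P)^(a^2 b).
    The point kP is stored as k mod n, which is what lets this toy oracle answer."""
    return pow(G, aP * aP * bP % N, P_MOD)


def bdhp_from_bsdhp(oracle, aP: int, bP: int, cP: int) -> int:
    """Compute e(P, P)^(abc) from aP, bP, cP using three oracle queries."""
    u = oracle(aP, cP)                          # e(P, P)^(a^2 c)
    v = oracle(bP, cP)                          # e(P, P)^(b^2 c)
    w = oracle((aP + bP) % N, cP)               # e(P, P)^((a+b)^2 c)
    ratio = w * pow(u * v, -1, P_MOD) % P_MOD   # e(P, P)^(2abc)
    half = pow(2, -1, N)                        # exponent 1/2 exists because n is odd
    return pow(ratio, half, P_MOD)


if __name__ == "__main__":
    a, b, c = 17, 230, 999                      # constructed sample scalars
    got = bdhp_from_bsdhp(bsdhp_oracle, a, b, c)
    want = pow(G, a * b * c % N, P_MOD)         # direct value of e(P, P)^(abc)
    print("reduction output:", got, "direct value:", want)
```

The square root in the target group is taken by multiplying the exponent by the inverse of 2 modulo n, so the reduction needs the group order n to be odd.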


3  New  Short  Signature  Scheme  From  Bilinear  Pairings 

In  this  section,  we  propose  our  signature  scheme,  and  then  explain  its  security. 
We  compare  our  scheme  with  BLS  and  ZSS  schemes. 
3.1 Signature Scheme

A signature scheme consists of four steps: a parameter generation algorithm
ParamGen, a key generation algorithm KeyGen, a signature generation algorithm
Sign and a signature verification algorithm Verify.

We describe the new signature scheme as follows:

Let $(G_1, +)$ and $(G_2, \cdot)$ be cyclic groups of prime order $n$, $P \in G_1$,
$G_1 = \langle P \rangle$ and $e : G_1 \times G_1 \to G_2$ be a bilinear map. Let $H(x)$ be a cryptographic hash
function such as MD5, SHA-1. Suppose that A wants to send a signed message
to B.

— ParamGen: $\{G_1, G_2, e, n, P, H\}$

— KeyGen: Let $H : \mathbb{Z}_2^{\infty} \to \mathbb{Z}_2^{\lambda}$, where $160 \le \lambda \le \log(n)$, be a cryptographic
hash function such as SHA1 or MD5. A randomly selects $x \in \mathbb{Z}_n$ and computes
$P_{pub1} = x^2 P$ and $P_{pub2} = 2xP$. In this structure, $P$, $P_{pub1}$ and $P_{pub2}$
are the public keys, $x$ is the secret key.

— Sign: Given a secret key $x$ and a message $m$, A computes the signature
$s = (H(m) + x)^{-2} P$.

— Verify: Given the public keys $P$, $P_{pub1}$ and $P_{pub2}$, a message $m$ and a
signature $s$, B verifies the signature if

$e(H(m)^2 P + P_{pub1} + P_{pub2} H(m), s) = e(P, P)$ holds.

Proof. By using Bilinear Inverse-Square Diffie-Hellman Problem,

$e((H(m) + x)^2 P, (H(m) + x)^{-2} P) = e(P, P)^{(H(m)+x)^2 (H(m)+x)^{-2}} = e(P, P).$
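
KeyGen, Sign and Verify can be exercised with an ordinary hash in a toy model of the pairing. This Python code is an added example, not the authors' PBC implementation: it assumes constructed, insecure parameters (n = 1019, p = 2039, g = 4 standing in for e(P, P)) and stores the point kP as the scalar k, so that e(aP, bP) = g^(ab). It also handles the one input Sign cannot process, H(m) + x = 0 (mod n).

```python
import hashlib

# Constructed toy parameters (assumptions of this example, insecure by design):
N = 1019        # prime order n of G_1 and G_2
P_MOD = 2039    # prime p = 2n + 1, so Z_p^* has a subgroup of order n
G = 4           # generator of that subgroup, standing in for e(P, P)


def H(msg: bytes) -> int:
    """Ordinary cryptographic hash (SHA-1, as in the paper), reduced into Z_n."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % N


def pairing(a: int, b: int) -> int:
    """Toy pairing: the point kP is stored as k mod n, so e(aP, bP) = G^(ab)."""
    return pow(G, (a * b) % N, P_MOD)


def keygen(x: int):
    """Return (secret x, public (P, P_pub1, P_pub2)), P_pub1 = x^2 P, P_pub2 = 2x P."""
    x %= N
    return x, (1, x * x % N, 2 * x % N)


def sign(x: int, msg: bytes) -> int:
    """s = (H(m) + x)^(-2) P; undefined when H(m) + x = 0 (mod n)."""
    t = (H(msg) + x) % N
    if t == 0:
        raise ValueError("H(m) + x is not invertible mod n; message cannot be signed")
    return pow(t, -2, N)


def verify(pub, msg: bytes, s: int) -> bool:
    """Check e(H(m)^2 P + P_pub1 + H(m) P_pub2, s) == e(P, P)."""
    P, pub1, pub2 = pub
    h = H(msg)
    point = (h * h * P + pub1 + h * pub2) % N   # equals (H(m) + x)^2 P
    return pairing(point, s) == pairing(P, P)


if __name__ == "__main__":
    sk, pk = keygen(123)
    msg = b"constructed sample message"
    try:
        sig = sign(sk, msg)
        print("signature:", sig, "valid:", verify(pk, msg, sig))
        print("altered signature valid:", verify(pk, msg, (sig + 1) % N))
    except ValueError as err:
        print("signing failed:", err)
```

Verification needs one pairing with the signature, since e(P, P) is a fixed value that can be computed once and cached.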

3.2  Signature  Security 

The well-known attacks against signature schemes are without message attack
and chosen-message attack. The strongest version of these attacks is an adaptive
chosen-message attack. In this scenario, the attacker can ask the signer to sign
any message that he/she chooses. He also knows the public key of the signer.
Then, he can customize his queries according to the previous message and chosen
signature pairs.

The strongest notion of security for signature schemes, that is, existential
unforgeability under adaptive chosen-message attack, was defined by Goldwasser, Micali
and Rivest [9]. Here, we use the definition of exact secure signature schemes
by Bellare and Rogaway [4] stated as follows:

Definition 3. A signature scheme $S = \langle$ParamGen, KeyGen, Sign, Verify$\rangle$ is
$(t, q_H, q_S, \varepsilon)$-existentially unforgeable under adaptive chosen-message attack if for
every probabilistic polynomial time forger algorithm $T$ running in $t$ processing
time, at most $q_H$ queries to the hash oracle and $q_S$ signatures queries, there does
not exist a non-negligible probability $\varepsilon$.

A signature scheme $S$ is $(t, q_H, q_S, \varepsilon)$-secure if there is no forger who $(t, q_H, q_S, \varepsilon)$
breaks the scheme.
We introduce a new problem that was called k-ISP (inverse square problem
with k traitors) to give the security proof of the new signature scheme. This
problem is similar to k-CAA (collusion attack algorithm with k traitors) that
was proposed by Mitsunari, Sakai and Kasahara in [11].

Definition 4 (k-ISP). For an integer $k$, and $x \in \mathbb{Z}_n$, $P \in G_1$, given

$\{P, xP, H_1, H_2, \ldots, H_k, (H_1 + x)^{-2}P, (H_2 + x)^{-2}P, \ldots, (H_k + x)^{-2}P\},$

compute $(H + x)^{-2}P$ for some $H \notin \{H_1, H_2, \ldots, H_k\}$.

k-ISP is $(t, \varepsilon)$-hard if for any $t$-time adversaries $A$, we have

$$\Pr\left[ A(P, xP, H_1, H_2, \ldots, H_k, (H_1 + x)^{-2}P, (H_2 + x)^{-2}P, \ldots, (H_k + x)^{-2}P \mid x \in \mathbb{Z}_n, P \in G_1, H_1, H_2, \ldots, H_k \in \mathbb{Z}_n) = (H + x)^{-2}P, \; H \notin \{H_1, H_2, \ldots, H_k\} \right] < \varepsilon \qquad (1)$$

where $\varepsilon$ is negligible.

The  following  theorem  shows  that  proposed  signature  scheme  is  secure  against 
the  adaptive  chosen-message  attack. 

Theorem 3. If there exists a $(t, q_H, q_S, \varepsilon)$-forger $T$ using an adaptive chosen
message attack for the signature scheme proposed in Section 3.1, then there exists
a $(t', \varepsilon')$-algorithm $A$ solving $q_S$-ISP, where $t' = t$ and $\varepsilon' > (q_S/q_H)^{q_S} \cdot \varepsilon$.

Proof. Assume that the output of the hash function is uniformly distributed and
the hash oracle will give a correct response for any hash query.

Suppose that a forger $T$ $(t, q_H, q_S, \varepsilon)$-breaks the signature scheme using an
adaptive chosen message attack. One needs an algorithm $A$ to solve $q_S$-ISP. In
this structure, the challenge is to compute $(H + x)^{-2}P$ for some $H \notin \{H_1, H_2, \ldots, H_k\}$
for given $P \in G_1$, $P_{pub1} = x^2 P$, $P_{pub2} = 2xP$, $H_1, H_2, \ldots, H_{q_S} \in \mathbb{Z}_n$ and
$(H_1 + x)^{-2}P, (H_2 + x)^{-2}P, \ldots, (H_{q_S} + x)^{-2}P$.

$A$ is the signer and answers hash and signing queries by itself. Algorithm is
as follows:

Step 1: $\{H_1, H_2, \ldots, H_{q_H}\}$ are the responses of the hash oracle queries for the
corresponding messages $\{m_1, m_2, \ldots, m_{q_H}\}$.

Step 2: $T$ makes a signature oracle query for each $H_i$ for $1 \le i \le q_H$. If the hash
oracle answers truly, $A$ returns $(H_i + x)^{-2}P$ to $T$ as the response. Otherwise,
the process stops.

Step 3: $T$ outputs a message-signature pair $(m, S)$. The hash value of $m$ is some
$H$ and $H \notin \{H_1, H_2, \ldots, H_{q_H}\}$. It satisfies:

$$e(x^2 P + 2xP + H^2 P, S) = e(P, P) \qquad (2)$$

So, $S = (H + x)^{-2}P$. $A$ outputs $(H, S)$ as a solution of challenge.

Since the operations are the same for $A$ and $T$, the running time of $A$ and
$T$ is equal, $t' = t$. The success probability of $A$ is $q_S/q_H$ in Step 2. $A$ will not fail
with probability $p > (q_S/q_H)^{q_S}$. Then, the success probability of the algorithm $A$
for all steps is $\varepsilon' > (q_S/q_H)^{q_S} \cdot \varepsilon$. This completes the proof. □


RTO-MP-IST-091 


Note that one can obtain a good bound if $q_S$ and $q_H$ are very close.

We now introduce a new problem proposed by Mitsunari et al. [11]. The
problem was called k-wCDHP (k-weak Computational Diffie-Hellman Problem).

Definition 5 (k-wCDHP). For an integer $k$, and $x, H \in \mathbb{Z}_n$, $P \in G_1$, given
$k + 1$ values

$\{P, (H + x)P, (H + x)^2 P, \ldots, (H + x)^k P\},$

compute $(H + x)^{-1}P$.

We define a new problem that is called k+1-IEP (k + 1 Inverse Exponent
Problem) to give a specific evaluation of the security of our proposed signature
scheme.

Definition 6 (k+1-IEP). For an integer $k$, and $a \in \mathbb{Z}_n$, $P \in G_1$, given $k + 1$
values

$\{P, aP, a^{-2}P, \ldots, a^{-k}P\},$

compute $a^{-(k+1)}P$.

Theorem  4.  k-wCDHP  and  k+1-IEP  are  polynomial  time  equivalent. 

Proof. k-wCDHP $\Rightarrow$ k+1-IEP:

Given $k + 1$ values $P, (H + x)^{-1}P, (H + x)^{-2}P, \ldots, (H + x)^{-k}P$, let
$Q = (H + x)^{-k}P$, $tQ = (H + x)^{-(k-1)}P$, and so $t = (H + x)$.

Set the input of k-wCDHP to be

$(H + x)^{-k}P = Q, \; (H + x)^{-(k-1)}P = tQ, \; (H + x)^{-(k-2)}P = t^2 Q, \; \ldots, \; (H + x)^{-1}P = t^{k-1}Q, \; P = t^k Q.$

Then, k-wCDHP outputs

$t^{-1}Q = (H + x)^{-1}(H + x)^{-k}P = (H + x)^{-(k+1)}P.$

k+1-IEP $\Rightarrow$ k-wCDHP:

Given $k + 1$ values $P, (H + x)P, (H + x)^2 P, \ldots, (H + x)^k P$, let $Q = (H + x)^k P$,
$t^{-1}Q = (H + x)^{k-1}P$, and so $t = (H + x)$.

Set the input of k+1-IEP to be

$(H + x)^k P = Q, \; (H + x)^{k-1}P = t^{-1}Q, \; (H + x)^{k-2}P = t^{-2}Q, \; \ldots, \; (H + x)P = t^{-(k-1)}Q, \; P = t^{-k}Q.$

Then, k+1-IEP outputs

$t^{-(k+1)}Q = (H + x)^{-1}P.$

□


We note that k+1-IEP and k-wCDHP are no harder than the CDHP. There
is a special case in which k+1-IEP or k-wCDHP can be easily solved:

Given

$P_0 = P, \; P_1 = (H + x)^{-1}P, \; P_2 = (H + x)^{-2}P, \; \ldots, \; P_k = (H + x)^{-k}P,$

if $P_i = P_j$ for $i \ne j$, this means that $(H + x)^{-i}P = (H + x)^{-j}P \pmod{q}$, so
the order of $(H + x)$ in $\mathbb{Z}_q$ is $j - i$. Then,

$(H + x)^{-1}P = P_{j-i-1}$ or $(H + x)^{k+1}P = P_{k+1 \bmod (j-i)}$.

This case gives an attack on our proposed signature scheme. However, because
of considering $(H + x)$ as a random element in $\mathbb{Z}_q^*$, we can show that the success
probability of this attack is negligible.

Let $q$ be a prime. Then, for any $a \in \mathbb{Z}_q^*$, the order of $a$, $\mathrm{ord}(a)$, is a divisor
of $q - 1$. Given $k > 1$, assume that the number of elements $a \in \mathbb{Z}_q^*$ such that
$\mathrm{ord}(a) < k$ is given by $N$. Since $\mathbb{Z}_q$ is a field, $N < k^2$ for $k > 1$. Let $p$ be the
probability that a randomly chosen element in $\mathbb{Z}_q^*$ has order less than $k$, then

$$p = \frac{N}{q - 1} < \frac{k^2}{q - 1}.$$

This gives us an opportunity to give a bound on $k$, such as, if $q \approx 2^{256}$, we limit
$k < 2^{64}$, which means that the attacker has at most $2^{64}$ message-signature pairs.
Therefore, using the above attack, the success probability is

$$\frac{(2^{64})^2}{2^{256}} = 2^{-128} \approx 0.29387 \times 10^{-38}.$$
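
The count N and the bound above can be computed exactly for a small prime. This Python code is an added example, not part of the original paper: it uses the fact that $\mathbb{Z}_q^*$ is cyclic, so it has exactly φ(d) elements of each order d dividing q − 1, cross-checks that against a brute-force count for the constructed values q = 61, k = 7, and evaluates the paper's numerical bound as an exact fraction.

```python
from fractions import Fraction
from math import isqrt


def divisors(n: int):
    """All positive divisors of n, in increasing order."""
    small = [d for d in range(1, isqrt(n) + 1) if n % d == 0]
    return sorted(set(small + [n // d for d in small]))


def phi(d: int) -> int:
    """Euler's totient by trial division (adequate for the small d used here)."""
    result, m, p = d, d, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result


def count_order_below(q: int, k: int) -> int:
    """N = #{a in Z_q^* : ord(a) < k}. Z_q^* is cyclic of order q - 1, so it has
    exactly phi(d) elements of each order d dividing q - 1."""
    return sum(phi(d) for d in divisors(q - 1) if d < k)


def count_order_below_bruteforce(q: int, k: int) -> int:
    """Same count by computing every element's order directly (small q only)."""
    total = 0
    for a in range(1, q):
        x, order = a, 1
        while x != 1:
            x = x * a % q
            order += 1
        total += order < k
    return total


def paper_bound(k: int, q: int) -> Fraction:
    """The paper's numerical bound k^2 / q on the attack's success probability."""
    return Fraction(k * k, q)


if __name__ == "__main__":
    q, k = 61, 7                            # constructed small prime and bound
    print("N =", count_order_below(q, k), "k^2 =", k * k,
          "brute force:", count_order_below_bruteforce(q, k))
    print("bound for q = 2^256, k = 2^64:", float(paper_bound(2**64, 2**256)))
```

How many elements have small order depends on the factorisation of q − 1: when q − 1 is twice a large prime, only the elements 1 and −1 have order below any practical k.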


As  a  result,  we  have  the  following  corollary. 

Corollary  1.  Assume  that  there  is  no  polynomial  time  algorithm  to  solve  the 
problem  k+1-IEP  with  non-negligible  probability,  then  the  proposed  signature 
scheme  is  secure  under  the  random  oracle  model. 


3.3  Efficiency 

We compare our signature scheme with the BLS scheme and ZSS scheme from
the implementation point of view. PO, SM, PA, Squ, Inv, MTP and H denote
the pairing operation, scalar multiplication in $G_1$, point addition in $G_1$, squaring
in $\mathbb{Z}_n$, inversion in $\mathbb{Z}_n$, MapToPoint hash operation and hash operation in $\mathbb{Z}_n$,
respectively. Table 1 summarizes the result.

We implemented the proposed signature scheme by using the Pairing-Based
Cryptography (PBC) Library [2] and the GMP library. Both libraries are installed as
default installation. We run Cygwin as Linux simulator for GMP. The performance of
the signature schemes was measured on an Intel Core Duo 1.6 GHz with 2 GB RAM,
running Windows XP SP2. We have used standard functions of GMP/PBC and
compiled by GNU C Compiler. It should be noted that computation of the pairing
is the most time-consuming part in short signature schemes. According to the
implementation result given in Table 2, our new scheme is more efficient than
the BLS scheme since it requires fewer pairing operations.
Table 1. Comparison of our scheme with the BLS scheme and ZSS scheme

                  BLS            ZSS                 Proposed
Key Generation    1 SM           1 SM                2 SM
Signing           1 MTP, 1 SM    1 H, 1 Inv, 1 SM    1 H, 1 Squ, 1 Inv, 1 SM
Verification      1 MTP, 2 PO    1 H, 1 SM, 1 PO     1 H, 1 Squ, 1 SM, 2 PA, 1 PO

Table 2. Time comparison of our scheme with the BLS scheme and ZSS scheme

                                   BLS          ZSS          Proposed
All time including Key Generation,
Signing and Verification           0.171000s    0.098000s    0.101000s


4  A  Ring  Signature  Scheme 

Ring signature schemes were proposed in [12]. The main purpose of a ring signature
is to provide anonymity for the signer, by making it impossible to determine who
among the possible signers is the actual one. In this way, the signature provides
anonymity for the signer. Ring signature schemes satisfy signer ambiguity and
security against an adaptive chosen message attack. A ring signature scheme is
defined by:

— ring signing $(m, P_1, P_2, \ldots, P_r, x_i)$ produces a ring signature $\sigma$ for the message
$m$ and a ring with $r$ members, given the public keys $P_1, P_2, \ldots, P_r$
together with secret key of the signer $x_i$

— ring verifying A signature pair $(m, \sigma)$ includes the public keys of all
the ring members, i.e. possible signers.

The system parameters are $\{G_1, G_2, e, n, r, P, H\}$ which are defined in Section 3.1.

— Sign: Assume that the $i$th member of the ring signs the message. Let the
public keys of the ring members be $P_{pub1j}$ and $P_{pub2j}$, the secret key of the
signer be $x_i$. Then,

$$S_i = (H(m) + x_i)^{-2}P + \Big( H(m) \sum_{j=1, j \ne i}^{r-1} 2x_j P + \sum_{j=1, j \ne i}^{r-1} (x_j^2 P + H(m)^2 P) \Big)$$

— Verify:

$$\prod_{j=1}^{r} e((H(m) + x_j)^2 P, S_i) = e(P, P).$$

Proof.

$$\prod_{j=1}^{r} e((H(m) + x_j)^2 P, S_i)$$

$$= e\Big(\sum_{j=1}^{r} (H(m) + x_j^2)P, S_i\Big)$$

$$= e\Big(\sum_{j=1}^{r} (H(m) + x_j^2)P, \; (H(m) + x_i)^{-2}P + \Big( H(m) \sum_{j=1, j \ne i}^{r-1} 2x_j P + \sum_{j=1, j \ne i}^{r-1} (x_j^2 P + H(m)^2 P) \Big)\Big)$$

$$= e(P, P).$$

The security of the proposed ring signature scheme is similar to that given in
Section 3.2 since it is based on the signature scheme described in Section 3.1.

5  Conclusion 

In this note, we propose a new short signature scheme not requiring any special
hash function. The security of this signature scheme depends on a new problem
called Bilinear Inverse-Square Diffie-Hellman Problem (BISDHP). It is shown
that this problem and BDHP are polynomial time equivalent. We also propose
a new complexity assumption called the k + 1 inverse exponent problem. The
exact security proofs are also explained in the random oracle model. We give
the implementation and comparison results of the BLS and ZSS schemes. According
to the implementation results, our new scheme is more efficient than the
BLS scheme since it requires fewer pairing operations. Then, we construct a ring
signature scheme based on the proposed scheme.